hakbit | 34b93f1989b272866f023c34a2243978565fcfd23869cacc58ce592c1c545d8e

General

Target

Client-17.exe
Size

60KB
MD5

0f27d1180d28e1bcaf4d66f6b51c087c
SHA1

15a00d3aba362aade900374b6d159de98e8eac62
SHA256

34b93f1989b272866f023c34a2243978565fcfd23869cacc58ce592c1c545d8e
SHA512

7a6f8f1f55fbd37124fdf24ce057f8cb2231ecc2fc4cf9d9028ab83436e64ae59af97a5e4ec1e6587ebcdfe6487f6794450ba961429afba0b24bd6fb48237ea8

Score

10^/10

hakbit ransomware spyware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_MY_FILES_NOT_MAKE_PUBLIC.txt

Family

hakbit

Ransom Note

Atention! all your important files were encrypted! to get your files back send 250 Euro in Bitcoins and contact us on E-Mail with proof of payment and your Key Identifier, you can find this here. We will send you a decryption tool with your personal decryption password. When you not Contact us and Pay, we do make your Data Public on a Websites, where everyone sees their entire computer content from you. -------------------------------------------------------------------------------------------------------------- Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com https://anycoin.eu https://bitpanda.com https://binance.com https://bitcoinbon.at For Switzerland and Austria Bitcoin Automat Värdex - Swiss Clients All SBB Automat - Swiss Clients Bitcoin Bon - Austria Clients You can calculate the Bitcoin rate here: https://preev.com -------------------------------------------------------------------------------------------------------------- Contact: [email protected] Please send us the key identification code via email, which you can see at the bottom of this text as soon as the payment has been made by you. Please send the Bitcoin on this Adress for the Payment: bc1q5dn3tc67wh90mrq65xm8a2z9lr9t0tc2lctwv3 -------------------------------------------------------------------------------------------------------------- GERMAN SPEAK CLIENTS -------------------------------------------------------------------------------------------------------------- Achtung! Alle Ihre Daten wurden verschlüsselt, wenn Sie alle ihre Daten auf Ihrem Rechner wieder wollen, dann Bezahlen Sie 250 Euro in Bitcoins und Kontaktieren Sie uns via E-Mail mit einer Bestätigung der Zahlung an unsere Bitcoin Adresse. Wir senden Ihnen dann ein Entschlüsselungs Programm damit Sie alles wieder Entschlüsseln können. Falls Sie nicht innerhalb ein paar Tagen Bezahlen,werden wir Ihre Date auf einer Webseite veröffentlichen die für jeden Zugänglich ist. Oberhalb des Textes sehen Sie wo Sie die Bitcoins erwerben können um diese an uns zu senden. Bitte senden Sie uns via E-Mail den Key Identifikationscode, diesen sehen Sie ganz unten in diesem Text aufgeführt, sobald die Zahlung getätigt wurde von Ihnen. Unsere Kontakt E-Mail : [email protected] -------------------------------------------------------------------------------------------------------------- Bitte senden sie hierhin die Bitcoins für die Zahlung bc1q5dn3tc67wh90mrq65xm8a2z9lr9t0tc2lctwv3 -------------------------------------------------------------------------------------------------------------- IDENTIFICATIONSKEY - IDENTIFKATIONSCODE / SEND THIS CODE VIA E-MAIL L1kIUMVBjbEiR17vks+oODArJwFMRXrDekxJXoYOKBtWCzPmmQewVxW1TPgC+pNBa7FO+M1OyjUVU8MFCuUSqkhdFUx70YNpMU1VtOTrxtVBMViYzdxD5JL6RSBGnCbW9m7tuB5Ks21ayk/olr1XzV1pfSuz6tN6EYQOgnM0f85CwPIMWEPZ+uV/tj1x+A4b7+6WfwODAfTafgqgz5e2og31DxmLDdu8++OUvE3ew7SkxI72eCkQ0tYJrliQw8zZ4eYZTWt/WIbAQIgr0jdYN5wqVRwH9BBXbcUZOQCphi/o5Va5eDVs8oeqpqu7h6/mGeEfHKNmvep5Q82KsgtpjQ==

Emails

[email protected]

Wallets

bc1q5dn3tc67wh90mrq65xm8a2z9lr9t0tc2lctwv3

Extracted

Credentials

Protocol: ftp
Host:
199.188.200.253
Port:
21
Username:
[email protected]
Password:
13MelisaLening37

Signatures

Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Client-17.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\SwitchPing.png.crypted	Client-17.exe
File created	C:\Users\Admin\Pictures\LimitRepair.raw.crypted	Client-17.exe
File created	C:\Users\Admin\Pictures\UnlockInstall.tiff.crypted	Client-17.exe
File opened for modification	C:\Users\Admin\Pictures\UnlockInstall.tiff	Client-17.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Client-17.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.bmp"	Client-17.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

968 1008 WerFault.exe Client-17.exe

pid	pid_target	process	target process
968	1008	WerFault.exe	Client-17.exe

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
1540	vssadmin.exe
1800	vssadmin.exe
1508	vssadmin.exe
1248	vssadmin.exe
1152	vssadmin.exe
792	vssadmin.exe
1240	vssadmin.exe
1580	vssadmin.exe
908	vssadmin.exe
1512	vssadmin.exe
740	vssadmin.exe
1704	vssadmin.exe
1780	vssadmin.exe
1860	vssadmin.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1432 taskkill.exe
1936 taskkill.exe
2008 taskkill.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

2012 notepad.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

968 WerFault.exe
968 WerFault.exe
968 WerFault.exe
968 WerFault.exe
968 WerFault.exe

pid	process
1432	taskkill.exe
1936	taskkill.exe
2008	taskkill.exe

pid	process
2012	notepad.exe

pid	process
968	WerFault.exe
968	WerFault.exe
968	WerFault.exe
968	WerFault.exe
968	WerFault.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

Client-17.exetaskkill.exetaskkill.exetaskkill.exevssvc.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	1008	Client-17.exe
Token: SeDebugPrivilege	1432	taskkill.exe
Token: SeDebugPrivilege	1936	taskkill.exe
Token: SeDebugPrivilege	2008	taskkill.exe
Token: SeBackupPrivilege	384	vssvc.exe
Token: SeRestorePrivilege	384	vssvc.exe
Token: SeAuditPrivilege	384	vssvc.exe
Token: SeDebugPrivilege	968	WerFault.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Client-17.exenotepad.exe

pid process

1008 Client-17.exe
2012 notepad.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Client-17.exe

pid process

1008 Client-17.exe

pid	process
1008	Client-17.exe
2012	notepad.exe

pid	process
1008	Client-17.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client-17.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1008 wrote to memory of 1412	1008	Client-17.exe	net.exe
PID 1008 wrote to memory of 1412	1008	Client-17.exe	net.exe
PID 1008 wrote to memory of 1412	1008	Client-17.exe	net.exe
PID 1008 wrote to memory of 1412	1008	Client-17.exe	net.exe
PID 1412 wrote to memory of 384	1412	net.exe	net1.exe
PID 1412 wrote to memory of 384	1412	net.exe	net1.exe
PID 1412 wrote to memory of 384	1412	net.exe	net1.exe
PID 1412 wrote to memory of 384	1412	net.exe	net1.exe
PID 1008 wrote to memory of 1460	1008	Client-17.exe	net.exe
PID 1008 wrote to memory of 1460	1008	Client-17.exe	net.exe
PID 1008 wrote to memory of 1460	1008	Client-17.exe	net.exe
PID 1008 wrote to memory of 1460	1008	Client-17.exe	net.exe
PID 1460 wrote to memory of 1572	1460	net.exe	net1.exe
PID 1460 wrote to memory of 1572	1460	net.exe	net1.exe
PID 1460 wrote to memory of 1572	1460	net.exe	net1.exe
PID 1460 wrote to memory of 1572	1460	net.exe	net1.exe
PID 1008 wrote to memory of 276	1008	Client-17.exe	net.exe
PID 1008 wrote to memory of 276	1008	Client-17.exe	net.exe
PID 1008 wrote to memory of 276	1008	Client-17.exe	net.exe
PID 1008 wrote to memory of 276	1008	Client-17.exe	net.exe
PID 276 wrote to memory of 544	276	net.exe	net1.exe
PID 276 wrote to memory of 544	276	net.exe	net1.exe
PID 276 wrote to memory of 544	276	net.exe	net1.exe
PID 276 wrote to memory of 544	276	net.exe	net1.exe
PID 1008 wrote to memory of 780	1008	Client-17.exe	net.exe
PID 1008 wrote to memory of 780	1008	Client-17.exe	net.exe
PID 1008 wrote to memory of 780	1008	Client-17.exe	net.exe
PID 1008 wrote to memory of 780	1008	Client-17.exe	net.exe
PID 780 wrote to memory of 740	780	net.exe	net1.exe
PID 780 wrote to memory of 740	780	net.exe	net1.exe
PID 780 wrote to memory of 740	780	net.exe	net1.exe
PID 780 wrote to memory of 740	780	net.exe	net1.exe
PID 1008 wrote to memory of 1132	1008	Client-17.exe	net.exe
PID 1008 wrote to memory of 1132	1008	Client-17.exe	net.exe
PID 1008 wrote to memory of 1132	1008	Client-17.exe	net.exe
PID 1008 wrote to memory of 1132	1008	Client-17.exe	net.exe
PID 1132 wrote to memory of 1112	1132	net.exe	net1.exe
PID 1132 wrote to memory of 1112	1132	net.exe	net1.exe
PID 1132 wrote to memory of 1112	1132	net.exe	net1.exe
PID 1132 wrote to memory of 1112	1132	net.exe	net1.exe
PID 1008 wrote to memory of 1544	1008	Client-17.exe	net.exe
PID 1008 wrote to memory of 1544	1008	Client-17.exe	net.exe
PID 1008 wrote to memory of 1544	1008	Client-17.exe	net.exe
PID 1008 wrote to memory of 1544	1008	Client-17.exe	net.exe
PID 1544 wrote to memory of 1512	1544	net.exe	net1.exe
PID 1544 wrote to memory of 1512	1544	net.exe	net1.exe
PID 1544 wrote to memory of 1512	1544	net.exe	net1.exe
PID 1544 wrote to memory of 1512	1544	net.exe	net1.exe
PID 1008 wrote to memory of 1696	1008	Client-17.exe	net.exe
PID 1008 wrote to memory of 1696	1008	Client-17.exe	net.exe
PID 1008 wrote to memory of 1696	1008	Client-17.exe	net.exe
PID 1008 wrote to memory of 1696	1008	Client-17.exe	net.exe
PID 1696 wrote to memory of 1384	1696	net.exe	net1.exe
PID 1696 wrote to memory of 1384	1696	net.exe	net1.exe
PID 1696 wrote to memory of 1384	1696	net.exe	net1.exe
PID 1696 wrote to memory of 1384	1696	net.exe	net1.exe
PID 1008 wrote to memory of 1292	1008	Client-17.exe	net.exe
PID 1008 wrote to memory of 1292	1008	Client-17.exe	net.exe
PID 1008 wrote to memory of 1292	1008	Client-17.exe	net.exe
PID 1008 wrote to memory of 1292	1008	Client-17.exe	net.exe
PID 1292 wrote to memory of 1824	1292	net.exe	net1.exe
PID 1292 wrote to memory of 1824	1292	net.exe	net1.exe
PID 1292 wrote to memory of 1824	1292	net.exe	net1.exe
PID 1292 wrote to memory of 1824	1292	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\Client-17.exe
"C:\Users\Admin\AppData\Local\Temp\Client-17.exe"
1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\SysWOW64\net.exe
"net.exe" stop avpsus /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop avpsus /y
3⤵
PID:384

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeDLPAgentService /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
3⤵
PID:1572

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfewc /y
2⤵
- Suspicious use of WriteProcessMemory
PID:276

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfewc /y
3⤵
PID:544

C:\Windows\SysWOW64\net.exe
"net.exe" stop BMR Boot Service /y
2⤵
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
3⤵
PID:740

C:\Windows\SysWOW64\net.exe
"net.exe" stop NetBackup BMR MTFTP Service /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
3⤵
PID:1112

C:\Windows\SysWOW64\net.exe
"net.exe" stop DefWatch /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
3⤵
PID:1512

C:\Windows\SysWOW64\net.exe
"net.exe" stop ccEvtMgr /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
3⤵
PID:1384

C:\Windows\SysWOW64\net.exe
"net.exe" stop ccSetMgr /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
3⤵
PID:1824

C:\Windows\SysWOW64\net.exe
"net.exe" stop SavRoam /y
2⤵
PID:1748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
3⤵
PID:1776

C:\Windows\SysWOW64\net.exe
"net.exe" stop RTVscan /y
2⤵
PID:1784

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
3⤵
PID:524

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBFCService /y
2⤵
PID:320

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
3⤵
PID:800

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBIDPService /y
2⤵
PID:672

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
3⤵
PID:844

C:\Windows\SysWOW64\net.exe
"net.exe" stop Intuit.QuickBooks.FCS /y
2⤵
PID:1272

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
3⤵
PID:568

C:\Windows\SysWOW64\net.exe
"net.exe" stop QBCFMonitorService /y
2⤵
PID:1236

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
3⤵
PID:1116

C:\Windows\SysWOW64\net.exe
"net.exe" stop YooBackup /y
2⤵
PID:840

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
3⤵
PID:1860

C:\Windows\SysWOW64\net.exe
"net.exe" stop YooIT /y
2⤵
PID:1644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooIT /y
3⤵
PID:1600

C:\Windows\SysWOW64\net.exe
"net.exe" stop zhudongfangyu /y
2⤵
PID:1640

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
3⤵
PID:1580

C:\Windows\SysWOW64\net.exe
"net.exe" stop stc_raw_agent /y
2⤵
PID:1560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
3⤵
PID:1928

C:\Windows\SysWOW64\net.exe
"net.exe" stop VSNAPVSS /y
2⤵
PID:1912

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
3⤵
PID:1884

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamTransportSvc /y
2⤵
PID:1864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
3⤵
PID:1984

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploymentService /y
2⤵
PID:1956

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
3⤵
PID:1948

C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamNFSSvc /y
2⤵
PID:1932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
3⤵
PID:1148

C:\Windows\SysWOW64\net.exe
"net.exe" stop veeam /y
2⤵
PID:1056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop veeam /y
3⤵
PID:2008

C:\Windows\SysWOW64\net.exe
"net.exe" stop PDVFSService /y
2⤵
PID:636

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
3⤵
PID:2040

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecVSSProvider /y
2⤵
PID:1500

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
3⤵
PID:1576

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
2⤵
PID:1464

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
3⤵
PID:1524

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentBrowser /y
2⤵
PID:1572

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
3⤵
PID:1620

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecDiveciMediaService /y
2⤵
PID:824

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
3⤵
PID:740

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecJobEngine /y
2⤵
PID:744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
3⤵
PID:1648

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecManagementService /y
2⤵
PID:1088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
3⤵
PID:1532

C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecRPCService /y
2⤵
PID:1372

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
3⤵
PID:1376

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcrSch2Svc /y
2⤵
PID:1828

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
3⤵
PID:1840

C:\Windows\SysWOW64\net.exe
"net.exe" stop AcronisAgent /y
2⤵
PID:1792

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
3⤵
PID:656

C:\Windows\SysWOW64\net.exe
"net.exe" stop CASAD2DWebSvc /y
2⤵
PID:368

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
3⤵
PID:800

C:\Windows\SysWOW64\net.exe
"net.exe" stop CAARCUpdateSvc /y
2⤵
PID:796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
3⤵
PID:1252

C:\Windows\SysWOW64\net.exe
"net.exe" stop sophos /y
2⤵
PID:1260

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sophos /y
3⤵
PID:620

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
2⤵
PID:1692

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:1656

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLWriter start= disabled
2⤵
PID:1608

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SstpSvc start= disabled
2⤵
PID:1740

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:1508

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:740

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:1540

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1704

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1780

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1240

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1248

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1860

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1580

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1152

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:908

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:792

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1512

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:1800

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_MY_FILES_NOT_MAKE_PUBLIC.txt
2⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 1476
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:384

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\HELP_ME_MY_FILES_NOT_MAKE_PUBLIC.txt
MD5
1a8e52a24541153ab587b3af0833392f

SHA1
f08187f065d2d89c3edf5b1a426a3aecde63fc81

SHA256
d914f1e873c3224847e5db2ae437eaf69451354e74fc67daa24512ddc3a42939

SHA512
c552cb2355ac68d84418b4dc8285695cf7ab9ca13c151409f146929d892de918bc4433d826bae60f0fd2b806f3472125b60eb8055079a0c29a6171e47970b55b

Download Submit
memory/968-3-0x00000000021D0000-0x00000000021E1000-memory.dmp

Filesize
68KB

Download
memory/968-4-0x00000000027A0000-0x00000000027B1000-memory.dmp

Filesize
68KB

Download
memory/1008-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads